svn:author: markj
svn:date: 2021-09-26T15:57:54.935450Z
svn:log:

freebsd32: Fix a double copyin in sendmsg() and recvmsg()

freebsd32_sendmsg() and freebsd32_recvmsg() both copyin the message header twice, once directly and once in freebsd32_copyinmsghdr(). The iovec length from the former is used when copying in msg_iov, but the rest of the kernel uses the iovec length from the latter. When kern_sendit() and kern_recvit() iterate over the iovec to compute the residual for I/O, they can therefore end up walking past the end of the copied-in iovec, either resulting in a system call error, userspace memory corruption from uiomove() with invalid iovecs, or a kernel page fault if the copied-in iovec is followed by an unmapped KVA region.

Reported by: syzbot+7cc64cd0c49605acd421@syzkaller.appspotmail.com
Reviewed by: kib, emaste
Sponsored by: The FreeBSD Foundation

(cherry picked from commit fea1a98ead918b39280b586773a923e76194400b)

Git Hash: 0d2b77383b021646b91b90a4c2a0816af5688553
Git Author: markj@FreeBSD.org